GLSA-202403-02 : Blender: Multiple Vulnerabilities

high Nessus Plugin ID 191480


The remote host is affected by the vulnerability described in GLSA-202403-02 (Blender: Multiple Vulnerabilities)

- An integer underflow in the DDS loader of Blender leads to an out-of-bounds read, possibly allowing an attacker to read sensitive data using a crafted DDS image file. This flaw affects Blender versions prior to 2.83.19, 2.93.8 and 3.1. (CVE-2022-0544)

- An integer overflow in the processing of loaded 2D images leads to a write-what-where vulnerability and an out-of-bounds read vulnerability, allowing an attacker to leak sensitive information or achieve code execution in the context of the Blender process when a specially crafted image file is loaded. This flaw affects Blender versions prior to 2.83.19, 2.93.8 and 3.1. (CVE-2022-0545)

- A missing bounds check in the image loader used in Blender 3.x and 2.93.8 leads to out-of-bounds heap access, allowing an attacker to cause denial of service, memory corruption or potentially code execution.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.


All Blender users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose >=media-gfx/blender-3.1.0

See Also

Plugin Details

Severity: High

ID: 191480

File Name: gentoo_GLSA-202403-02.nasl

Version: 1.0

Type: local

Published: 3/3/2024

Updated: 3/3/2024

Supported Sensors: Nessus

Risk Information


Risk Factor: Medium

Score: 5.9


Risk Factor: Medium

Base Score: 5.1

Temporal Score: 3.8

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-0546


Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:blender, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Ease: No known exploits are available

Patch Publication Date: 3/3/2024

Vulnerability Publication Date: 2/24/2022

Reference Information

CVE: CVE-2022-0544, CVE-2022-0545, CVE-2022-0546